Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches? It involved a remote control door lock and a security camera. Many people – not just security people – winced at the idea. After all, what could possibly go wrong?
Well, just a couple of weeks later, we now know the FIRST answer to that question.
That Internet-enabled camera was connected to the door lock via the Zigbee wireless protocol and to the Internet via WiFi. Neither of those channels is terribly secure.
Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen. The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.
The hack is incredibly simple and a well-known attack. The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet, even though that is not as cheap, easy or pretty as doing it via WiFi). As long as that command keeps being sent, the camera keeps getting kicked off and effectively never gets back online. The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled; it just shows the last frame that it captured.
At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera. Now the crook sends a lock command and everything looks like it should look.
After stealing all your stuff, the bad guy exits the house via a different exit (door or window).
The attacker could also trigger the deauth right as the driver is leaving. The lock piggybacks off the WiFi camera, so kicking the camera off WiFi would also disable the lock, and the driver would think he locked the door when he did not. Hopefully, the driver will verify that the door is actually locked before he leaves.
These attacks require a great deal of patience to implement, so they are not high risk. Amazon plans to issue a patch, although a deauth is a valid thing to do. Maybe they will generate an alert.
Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house. If the door is unlocked and the customer is in another city or state, what good does a call do?
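To make the missing alarm concrete, here is a sketch of a server-side check that treats a silent camera as an event instead of replaying the last frame. It is an added example, not Amazon's code and not from the Wired report; the event names, the 5-second stale threshold and the 180-second unlock limit are all assumptions, and the session data is constructed.

```python
# Added example: event names and both thresholds are assumptions, not Amazon's values.
from dataclasses import dataclass

STALE_AFTER = 5.0     # assumed: seconds without a new frame before the feed counts as stale
UNLOCK_LIMIT = 180.0  # assumed: "a few minutes" the door may stay unlocked


@dataclass
class Event:
    t: float    # seconds since the delivery session began
    kind: str   # "frame", "unlock" or "lock"


def monitor(events, session_end):
    """Replay one delivery session and return latched (time, message) alerts."""
    alerts, last_frame, unlocked_at = [], 0.0, None
    stale_open = overdue_open = False

    def check(now):
        nonlocal stale_open, overdue_open
        if not stale_open and now - last_frame > STALE_AFTER:
            door = "UNLOCKED" if unlocked_at is not None else "locked"
            alerts.append((last_frame + STALE_AFTER, f"camera feed stale, door {door}"))
            stale_open = True
        if (unlocked_at is not None and not overdue_open
                and now - unlocked_at > UNLOCK_LIMIT):
            alerts.append((unlocked_at + UNLOCK_LIMIT, "door unlocked past limit"))
            overdue_open = True

    for ev in sorted(events, key=lambda e: e.t):
        check(ev.t)  # evaluate the silence that ended with this event
        if ev.kind == "frame":
            last_frame, stale_open = ev.t, False
        elif ev.kind == "unlock":
            unlocked_at, overdue_open = ev.t, False
        elif ev.kind == "lock":
            unlocked_at = None
    check(session_end)
    return alerts  # never cleared: a feed that comes back does not erase the alert


def constructed_session():
    """Constructed sample: frames stop at t=10 with the door open, resume at t=40."""
    events = [Event(float(t), "frame") for t in range(0, 11)]
    events += [Event(8.0, "unlock"), Event(42.0, "lock")]
    events += [Event(float(t), "frame") for t in range(40, 46)]
    return events
```

On the constructed session, `monitor(constructed_session(), 48.0)` records one alert at t=15 saying the feed went stale while the door was unlocked, and the alert stays on record even though the feed and the lock both look normal again by t=42. A live system would run the same checks on a timer rather than replaying events afterwards.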
And attacks often become more sophisticated over time. This is only the very first attack.
Stay tuned, this game is not over yet.
Information for this post came from Wired.